I think most people today understand that cyber clearly underpins the full
spectrum of military operations, including planning, employment, monitoring
and assessment capabilities. I can't think of a single military operation
that is not enabled by cyber. Every major military weapon system, command
and control system, communications path, intelligence sensor, processing and
dissemination functions—they all have critical cyber components.

— Gen William L. Shelton
Commander, Air Force Space Command


Modern-day cyber warriors are elusive figures. Are they technological
ninjas, typing feverishly on a keyboard in a darkened room or perhaps
gunslingers throwing cyber bullets downrange at shadowy foes? There are many
images of cyber warfare in popular culture. Most of them focus on the
individual's uncanny grasp of technology—the ability to exploit any system
with a dizzying flurry of keystrokes or to fend off adversaries with a
smartphone, a paper clip, and an ingenious plan. These socially awkward
heroes and heroines fill the silver screen with visions of a new kind of
warfare.

pher Corbett, 315 NWS/DO; Mr. Richard DeLeon, 26 NOG/TA.; and Mr. Richard White, 67 NWW/TA.

Contradicting these stereotypes, Air Force cyber operations are carefully
planned and controlled by disciplined, rigorously trained operators. Rather
than acting alone, these professionals produce effects in support of
national interests through teamwork, careful coordination, and deliberate,
considered targeting based on established national policy. This article
discusses the events and thinking that have resulted in today's cyber
forces, describes how they operate in cyberspace today, and presents a
vision for how they will continue to provide cyberspace dominance in future
wars. Although many of the cyber warfare capabilities of tomorrow are
speculative in nature, the enabling technologies and policies for them exist
today.


A Brief History of Cyber

If we could first know where we are, and whither we are tending, we could
then better judge what to do, and how to do it.

— President Abraham Lincoln

Traditionally associated with the explosive growth of network and computing
equipment in the 1990s, cyberspace was commonly used to achieve operational
objectives during World War II. For example, in the Battle of the Beams,
German bombers navigated from continental Europe to Great Britain by
following a radio signal transmitted from the point of origin. The pilots
would know they were above their targets when they intercepted a second
beam, also transmitted from continental Europe. This system ensured that
German night raiders found their targets in the dark and returned home
safely. British engineers quickly discovered the German use of radio
frequency and developed countermeasures. By broadcasting similar signals at
precise times, British cyber operators fooled the German bombers, causing
them to drop their ordnance at a location chosen by the British. Similarly,
the British cyber countermeasures made return trips nearly impossible for
the Germans, many bombers never finding home base and a few even landing at
Royal Air Force fields, their pilots thinking that they had returned home.1
This use of the frequency spectrum (a critical portion of cyberspace) to
create effects illustrates the operational power of cyberspace long before
anyone considered it a domain.2

Thus, military operations as far back as World War II incorporated aspects
of cyberspace into operations, but almost 60 years passed before leaders
formally recognized the importance of this domain. In 2003 President George
W. Bush released the National Strategy to Secure Cyberspace, followed in
2006 by the National Military Strategy for Cyberspace Operations.3 These two
documents established the strategic importance of cyberspace to national
interests, but they did not form in a vacuum. To understand how cyberspace
began to coalesce conceptually and how leaders began to understand its
important role in modern military operations, we must first look at how
we've arrived at our current perspective on cyberspace and cyber warfare.

Before cyberspace earned recognition as an operational domain of warfare,
the military considered information a target and an instrument of war. In
1993 the Air Force established the Air Force Information Warfare Center
(AFIWC) as "an information superiority center of excellence, dedicated to
offensive and defensive counter information and information operations."4
Lessons learned from Operation Desert Storm led to the realization that
information is vital to modern military operations and, as such, must be
defended from adversaries.5 By the same token, exploitation of enemy
information can be a viable option for gaining an operational advantage.

An attack on Air Force networks by unknown adversaries validated this
viewpoint. During the "Rome Lab incident" of March 1994, administrators at
Rome Laboratory, New York, found an unauthorized wiretap program—a
"sniffer"—on their network that had stolen lab employees' user names and
passwords. The attackers—a 16-year-old from the United Kingdom and an
unknown person identified only as "Kuji"—successfully obtained information
on a number of sensitive defense research projects and used the Rome Lab
connection to attack other institutions, stealing all of the data stored on
the Korean Atomic Research Institute's computers and depositing it in the
Rome Lab computers.6

This incident, as well as other high-profile attacks of the time, such as
the theft of data concerning the Strategic Defense Initiative from the
Lawrence Berkeley National Laboratory, led to a debate among the Air Force
staff regarding whether or not to incorporate the tools and techniques under
development at the AFIWC as war-fighter capabilities.7 On 15 August 1995,
the debate ended when the Air Force chief of staff directed development of
an information warfare squadron to support Ninth Air Force's combat
operations. As a result, the service established the 609th Information
Warfare Squadron in October 1995 with a mission to "conceive, develop, and
field Information Warfare combat capabilities in support of a Numbered Air
Force."8

The squadron pioneered defensive counterintelligence operations from 1995
through 1999 and then transferred its mission to the Air Force computer
emergency response team, a subdivision of the AFIWC.9 During this time, a
number of events—exercise Eligible Receiver and operations Solar Sunrise and
Moonlight Maze—led to an increased interest in information operations at the
Department of Defense (DOD) level.10 Eligible Receiver highlighted critical
vulnerabilities in US Pacific Command's systems as well as in 911 and power
grids in nine US cities. Analysts were still digesting the results of this
exercise when officials discovered attackers stealing tens of thousands of
files from systems at the Pentagon, National Aeronautics and Space
Administration, and Department of Energy.11 Detection of additional
exploitations of known vulnerabilities in the DOD's unclassified networks
further highlighted the need to develop indicators and warnings of attack as
well as organize to address weaknesses in information warfare operations.12

To address these shortfalls, the DOD activated Joint Task Force-Computer
Network Defense under Maj Gen John "Soup" Campbell in December 1998,
reporting directly to the secretary of defense and envisioned as having a
war-fighting role.13 In 2000 the task force took on an additional offensive
role and a new name—Joint Task Force-Computer Network Operations—to reflect
this change. The DOD adjusted the mission again in 2004, this time adding
management as well as defense of the department's networks. The offensive
mission moved to a new organization, Joint Forces Component Command-Network
Warfare.14 Finally, in 2009 the establishment of United States Cyber Command
(USCYBERCOM) rejoined both organizations under a single subunified
command.15

Although the history of cyber is full of organizational changes, we have
little documentation of why the military chose to organize as it did to
address cyberspace challenges. Attacks on military networks such as
Moonlight Maze and Solar Sunrise provide insight only into why defensive
operations were necessary, but the organizational changes also reflect a
shifting concept of the interactions among defensive, offensive, and network
management operations in the realm of cyberspace. Additionally, the
evolution from information warfare to cyber warfare indicates a subtle shift
in mission: from information as a commodity; to attack and defense of the
systems used to process, store, and transmit information; and finally to the
domain in which those systems and the information they manipulate reside.


Cyber Warfare Today

Reflecting the military's changing understanding of the nature of cyber
warfare, today's operations are defined by a mixture of mature and
developing capabilities, doctrine, and organizations. As with air and space
domains at their inception, the cyberspace domain continues to mature along
a trajectory of increasing capability and capacity; however, many shortfalls
exist. Fortunately, military leaders understand them and are sharing their
perspective in the national debate. For example, in Cyber Vision 2025, Mark
Maybury, the former chief scientist of the Air Force, describes the
technological, policy, and personnel changes necessary through 2025 to
realize future Air Force cyber capabilities.16 Gen Michael Hayden, USAF,
retired, former director of the National Security Agency and Central
Intelligence Agency, discusses 10 questions that must be answered before we
can truly integrate cyber into national instruments of power.17 In a recent
symposium sponsored by the Armed Forces Communications and Electronics
Association, Gen William Shelton, commander of Air Force Space Command,
addressed the steps taken by his command to operationalize and integrate
cyber forces as well as the issues we face in the near term.18 Similarly,
Maj Gen Suzanne Vautrinot, the former commander of Twenty-Fourth Air Force,
now retired, outlined the challenges and strategies for increasing defensive
and offensive capabilities in a constrained fiscal environment.19 The
combined efforts of these and many other senior Air Force leaders are
driving the maturation of the service's cyber operations by accelerating the
pace of innovation.

The Air Force's cyber capability exists on a continuum (see the figure
below) ranging from nascent and niche effects to proactive and responsive
support of combatant commanders. In today's cyber force, operators occupy
the middle of this continuum with niche targets included in operation plans
and a mixture of proactive and reactive defensive capabilities. To move
combat effectiveness to the right on this chart, the Air Force must
implement future initiatives such as USCYBERCOM's cyber mission force
structure and the joint information environment architecture, both of which
will enhance the ability of cyber forces to provide theater- and
campaign-level support. The Air Force also will continue ongoing
initiatives, including Air Force Network (AFNet) migration, and the
maturation of cyber weapon systems to increase cyber capacity in terms of
the number of missions conducted in support of war fighters.

[Figure labels: "Cyberspace Superiority Portfolio, Steady Topline"; "Combat Effectiveness (Type of Sortie)"]

Figure. Cyberspace investment challenge. (Adapted from Maj Gen Suzanne M.
Vautrinot, "Sharing the Cyber Journey," Strategic Studies Quarterly 6, no. 3
[Fall 2012]: 74, http://www.au.af.mil/au/ssq/2012/fall/fall12.pdf.)

Even though the capability continuum depicts only offensive and defensive
cyber forces, modern cyber warfare is conducted by leveraging three
operational mission areas: Department of Defense Information Network (DODIN)
operations, defensive cyber operations (DCO), and offensive cyber operations
(OCO), each of which independently enables effects for the air, space, sea,
and land domains.20 All three are inextricably linked to generate effects
across the spectrum of conflict, from small special operations missions to
global conventional warfare.

The rapid rise in weapon systems and command and control (C2) systems that
rely on network and wireless connections makes the integration and
synchronization of complex operations difficult apart from the cyber
domain—and underscores the importance to modern military warfare of the
DODIN. That network is "the globally interconnected, end-to-end set of
information capabilities, and associated processes for collecting,
processing, sorting, disseminating, and managing information on-demand to
warfighters, policy makers, and support personnel, including owned and
leased communication and computer systems and services, software (including
applications), data, security services, other associate services, and
national security systems."21 DODIN operations construct, operate, and
sustain the cyber domain, offering mission assurance and defense through
prioritized network provisioning (dynamic construction), hardening, and
configuration management.

Twenty-Fourth Air Force manages the AFNet—the Air Force's portion of the
DODIN. With 850,000 total force users and billions of dollars in systems and
infrastructure, Twenty-Fourth Air Force's units dynamically construct and
operate a global enterprise and provision enterprise services to the Air
Force and joint forces worldwide. Additionally, they defend the network
through management of both base and AFNet boundaries, sensor placement and
management, client configuration, and enterprise-compliance management. The
services offered by these units assure that operational planners receive
information for missions requiring complex communication topologies, high
bandwidth, and high reliability.

Oftentimes people misconstrue DODIN operations as a support or information
technology function. For example, Lt Gen Michael Basla, the Air Force's
chief information officer, said, "I think we will draw a clearer line and
distinction between what is required to build, operate and maintain [Air
Force networks] and what is required to operate on the network."22 Moreover,
Gen Mark Welsh, the Air Force chief of staff, has observed that up to 90
percent of Air Force cyber personnel operate Air Force networks and that
"they're not what NSA would call a cyber warrior."23 Although these
statements blur the distinction between network maintenance and defense, the
DODIN fills an integral role in the conduct of military operations. The
obvious benefits include constructing and operating the domain that enables
all other domains. Additionally, DODIN operations provision access to
information sources, harden friendly portions of the domain from
unauthorized access, and configure network systems to provide ease of
maneuver to friendly forces while constraining the adversary's options.
These actions create a cyber high ground resulting in strategic,
operational, and tactical advantages by making mission-critical information
easier to defend and harder to attack.

To that point, the Air Force advanced the AFNet's defensive posture through
two significant DODIN architecture initiatives. First, the deployment of Air
Force gateways reduced the number of external network access points from 120
to 16. This architectural change enabled the service to canalize traffic,
characterize the domain, and control data flows to significantly reduce the
AFNet attack surface exposed to enemy strikes. The second initiative
consolidated 850,000 users into a single integrated Air Force network,
enabling enterprise-wide collaboration and improved, trusted secure
communications. Defensively, this initiative delivers embedded security that
substantially reduces an adversary's ability to act on the network by using
compromised user credentials. Collectively, these defensive improvements
inverted the cost/risk calculus of attack versus defense by forcing the
adversary to work harder to find vulnerabilities while making it easier for
the defender to guard critical assets.

The DCO mission area provides active defense against opponents.
Twenty-Fourth Air Force's units prevent, detect, and respond to enemy
actions through both active and passive defensive capabilities. These units
conduct defense through a set of layered, overlapping technologies called
"defense in depth," an architecture that ensures monitoring and defense of
avenues of access as well as end points such as clients and servers. While
DODIN operators limit attack vectors and reduce vulnerabilities by strategic
placement of defensive capabilities on the network, DCO operators actively
engage adversaries inside Air Force networks to prevent intrusions, detect
malicious capabilities and techniques, and respond to system compromises.

DCO operators monitor defenses for signs of attack and configure defenses to
foil future attempts. The primary strategy for preventing intrusion calls
for detecting known adversary tactics (signatures), limiting visibility into
the AFNet, and continuously monitoring intelligence streams for indications
of pending attacks. Operators analyze capabilities and methods used by the
enemy and develop signatures that match patterns unique to a particular
attack and thus provide complete protection from strikes matching the
signature. Unfortunately, this method will not block attacks that have been
modified from the original salvo. To maneuver around signature-based
defenses, cyber attackers must "reengineer" their weapons so that unique
signatures compromised in previous attacks are no longer detected. Depending
upon the complexity of the developed signature, the adversary may be able to
alter his weapons, forcing defenders to develop new signatures. This arms
race between attack and defense has traditionally favored the attackers;
however, as DODIN forces continue to reduce pathways that opponents can use,
and as DCO operators persist in locating and eliminating vulnerabilities,
the balance begins to shift in favor of the defense.

When new attacks occur that defenders could not prevent, sensors placed
throughout the network supply intrusion indications and point DCO operators
to the compromised systems, which they examine (by means of digital forensic
analysis) to determine how the intrusion occurred and what tools were used.
They then develop countermeasures to prevent future attack. DCO forces
remotely access forensic data from all sensor devices to counter future
compromises. Defenders use specialized tools to remotely capture the exact
state of a computer (e.g., current data in memory, running programs, open
network connections, etc.) to determine exactly what is happening at a given
moment. This capability takes snapshots of malicious code as it executes,
helping defenders understand the exact behavior of implanted software. By
analyzing this behavior, they can develop signatures and new tactics,
techniques, and procedures (TTP) to prevent the same type of compromise in
the future. The use of remote forensics capabilities reduces defenders'
incident response from days to hours, slashing the amount of time that
attackers have to maneuver through the network, perform reconnaissance, or
exfiltrate sensitive data.

Additionally, Twenty-Fourth Air Force has both hunting and pursuit
capabilities to offer real-time defense and response against adversary
actions and regularly analyze enterprise resources for indications of
advanced enemy presence or attempted access. Even though boundary defense is
an effective means of recognizing and repelling most attacks, a sufficiently
sophisticated and dedicated actor will eventually gain a toehold. Highly
skilled DCO operators conduct active pursuit operations to rove the
enterprise network and find, fix, track, and target such actors. These
operators conduct real-time analysis of network devices, looking for
anomalies that indicate enemy activity, eradicating the threat, and
initiating an incident-response process to determine the root cause and/or
TTPs used to gain access. Sometimes an even more comprehensive look is
necessary to ensure that critical assets such as weapon systems and C2 nodes
are appropriately hardened and cleared of advanced adversary presence. The
Air Force uses hunt operations to characterize the cyber environment in
these enclaves, complete a comprehensive analysis of mission data flows,
standardize and harden the weapon system or critical asset interfaces,
determine potential anomalous activity or attack vectors, herd adversary
behavior, and eradicate persistent threats from the environment. These
operations, which rely heavily on individual experience, knowledge, and
training, are intensive and focused to ensure that these critical assets
enjoy freedom of action in contested environments. Even as technology
progresses, we will rely heavily on both pursuit and hunting capabilities to
counter the advanced adversary threat in the future. Additionally, to
increase the capacity and capability of this mission area, USCYBERCOM has
developed a cyber protection team structure, each team including a mixture
of capabilities designed to give combatant commanders DCO effects. According
to Gen Keith Alexander, the commander of USCYBERCOM, the command will stand
up 13 teams by the end of 2015, significantly increasing the Air Force's DCO
force, strengthening blue networks, and forcing the enemy to divert manpower
and attention to counter this new capability.24

As with DCO and DODIN operations, OCOs have developed from a nascent to an
operational capability well integrated into joint operations. The OCO
mission set concentrates on gaining and—more importantly—maintaining access
to enemy areas of cyberspace without detection. The nature of OCOs requires
operators to carefully plan missions to characterize and exploit enemy
networks. Further, the tools used to perform OCOs are sensitive because of
the nature of the cyber domain (i.e., the ease of copying bits and bytes).
Consequently, tool development and deployment are an important aspect of
this mission area.

Although OCO operators provide a very real set of strategic alternatives to
combatant commanders, the effects are specific and limited in scope. To
exploit an adversary's system, offensive operations demand detailed
knowledge of the target network, obtaining such information by performing
network reconnaissance with sophisticated TTPs. Once operators have
identified vulnerabilities, they must then develop either a technique or a
weapon or select one from an existing repository prior to choosing the
specific delivery mechanism. After they have accessed their target,
operators establish a permanent presence on the machine while cloaking
indications of the incursion, allowing them to maintain access indefinitely.
Such persistent presence lets them effectively exploit information on the
target in support of war fighters' objectives. In light of the long lead
time necessary to perform target reconnaissance and establish persistent
access, offensive operations typically require advanced planning and a
lengthy time horizon to offer effective options.

The weapons used by operators are similar to the ordnance that a pilot
employs to carry out a given mission. Certain weapons are better for a
desired purpose than others, and some work against a particular set of
targets while others are ineffective against that objective. One major
difference, however, is their fragility. Since defenders can block a weapon
using a signature once they have detected it, use of a given technique or
weapon to gain or maintain access carries a risk that the attacker will
discover and counter it, rendering the technique or weapon useless for
future operations. As a result, operational planners must assess the
technical gain/loss associated with the employment of OCOs. If the desired
effect is not substantial enough to justify the potential loss of an OCO
weapon, then they should consider other methods.

Today's OCO force is a high-demand, low-density asset. As it did with DCOs,
to increase the capacity and capability of this mission area, USCYBERCOM
will develop a cyber mission force structure for OCOs, including teams
composed of a mixture of capabilities designed to provide a broad spectrum
of OCO effects to combatant commanders. General Alexander expects the
command to stand up several of these teams by the end of 2015, significantly
augmenting the Air Force's OCO force.25 The increased capacity for OCO
operations will put enemy strongholds at risk, forcing adversaries to divert
manpower and attention to defenses and reducing the defensive burden on US
networks.

The shortfalls of current cyber warfare operations are not readily captured
by the dimensions of the capability continuum in the figure depicting the
cyberspace investment challenge (see above). Fully illustrating where the
cyber domain rests in this continuum requires extending into a third
dimension—domain coverage. Contemporary cyber warfare is characterized by
largely network-based capabilities in conjunction with traditional
electronic warfare. During peacetime, the bulk of the effort focuses on
shaping the cyber battlefield, defending critical assets, and collecting
intelligence. Should the United States enter a full-scale cyber war today,
offensive and defensive capability would be limited to subsets of the full
cyberspace domain. These subsets are critical to the projection of power,
but they do not fully encompass the overall domain. Such current
capabilities, though effective, present limited cyber options to our
combatant commanders.


Cyber Warfare in the Future

Victory smiles upon those who anticipate the changes in the character of
war, not upon those who wait to adapt themselves after the changes occur.

— Air Marshal Giulio Douhet

Although cyber warfare is currently limited to information networks and
network-attached systems, it will drastically expand in the future. Rather
than decide between kinetic and nonkinetic effects, planners will choose the
effect that will best produce the desired outcome. Cyber-based effects will
not be limited to networks of computers; rather, they will encompass all
electronic information processing systems across land, air, sea, space, and
cyberspace domains. This full-domain dominance will permit freedom of
maneuver in all war-fighting domains by holding the enemy's electronic
information-processing systems at risk while defending friendly systems from
attack.

The future of cyber warfare is predicated on policy, technology, and threat.
New technology can have disproportionate effects, not only on the weapons
used in cyberspace but also on the makeup of the domain itself. National
policy on cyberspace dictates the objectives and rules of engagement for
cyber capabilities as well as the organization and execution of operations.
The rapidly evolving threat posed by peer actors in the cyber domain will
dictate how cyber forces are trained and deployed in the future battlefield.
Despite these wildcard influences, the future of cyber warfare can be
broadly extrapolated from current experience and application of fundamental
tenets of warfare. To remain grounded in today's realities, we limit the
vision of cyber warfare discussed here to a decade into the future, allowing
us to assume that technological changes will follow the course laid out in
Cyber Vision 2025.26

Future cyber warfare will not be relegated solely to network-based
resources. According to Major General Vautrinot, "Cyberspace is not
simply the Internet; rather, it is a network of interdependent
information technologies including the Internet, telecommunications
networks, computer systems, and embedded processors."27 Although much of
the present effort focuses on Internet-connected networks, this is only a
subset of the total cyber domain, which also includes
non-Internet-connected networks such as tactical data links,
satellite-control networks, launch-control networks, and other networks
not traditionally based on Internet data-transfer protocols and
technologies. Future warfare will see DODIN operations as well as DCO and
OCO forces expanding their mission areas to these nontraditional networks
and the systems that connect through them, such as satellites, avionics,
targeting pods, digital radios, and remotely piloted aircraft. Effects
produced on and through these systems will include disruption,
distraction, distortion, distrust, confusion, and chaos of both a virtual
and physical nature, with consequences that can be assessed and measured
on the battlefield.

In this future war, many of the services currently supplied by DODIN
operations will be decoupled from the hardening, defense, and
mission-assurance roles. Services such as e-mail, data storage, web, and
transport will be provided as commodity services/utilities, much like
electricity or water. Through the joint information environment, the DOD
will leverage economies of scale and cloud technologies to improve the
resiliency of services and expand their reach so the war fighter can
safely assume availability and reliability. This roll-up of commodity
services will free DODIN operators to concentrate on defensive hardening
and attack recovery while expanding their scope to nontraditional
networks. As with AFNet, consolidation and standardization of tactical
and C2 networks will result in a reduced attack surface, higher
reliability, and more responsive disaster recovery. Rather than rely on
weapon system designers to take responsibility for the security of their
systems, DOD professionals will manage and enforce formalized security
standards and interoperable interfaces. The standards will ensure that
weapon systems have a "baked-in security" capability while the
interoperable interfaces will reduce the "one-off" systems and
capabilities that drive increased enterprise vulnerabilities and cost.
Sensors, reporting mechanisms, and configuration-management tools will be
designed into the system from the beginning, allowing DODIN operators to
enforce a rigorous and standard security posture across all combat
systems.

Future DCO capabilities will tackle one of the greatest costs associated
with defense: the man-in-the-loop sensor, which offers alerts that
require human intuition and experience to interpret and identify the
occurrence of a compromise. This reliance on human intuition forces
defenders to maintain large, well-trained manpower pools to defend
relatively small areas of cyber terrain. The human limitation prevents
analysis of these alerts at the speed of data passing through the
network, forcing defenders to react to threats rather than proactively
defeat them. As technology advances, the infusion of human intuition into
automated sensors will allow for man-on-the-loop defense, which will
reduce manpower requirements but increase overall effectiveness.

Building upon a standardized security framework, future DCO capabilities
and sensors—deployed across all combat platforms—will be designed to
supply man-on-the-loop rather than man-in-the-loop detection. These
sensors will leverage machine-learning techniques and predictive-behavior
modeling to recognize and separate attacks from normal operational data
flows. Rather than rely on a human to view and interpret results,
defenders will mitigate attacks on the fly and ignore false positives,
with human intervention driven by triggers and confidence thresholds.28
Using ubiquitous network sensors, they will also perform data correlation
and analysis across platforms and networks to discover trends of attacks,
using them to further characterize current and emerging adversary tactics
and give some perspective on both persistent and fleeting targets of
enemy interest.

Armed with information on targets under attack in cyberspace, defenders
will perform critical asset protection. Expansion outside traditional
networks will require that defenders focus on prioritized assets, a
process enabled by situational awareness tools that tie missions to
systems and physical locations to network locations. Defenders need not
protect every workstation equally; instead, they can focus their efforts
on systems supporting a high-priority operation or on data links critical
to attaining a war fighter's objective. This prioritization of effort
will allow them to utilize both mass and maneuver to best counter enemy
actions in a timely and effective manner.

Improved sensors and prioritized defenses will allow defenders to push
enemy actors outside blue cyberspace. Today's defense in depth catches
many attacks inside the boundaries of our networks. In the future,
improved sensor capabilities, combined with automated responses, will
frustrate most attacks at the boundary of blue space, letting defenders
focus on identifying threats before they reach friendly cyber systems and
reporting the threats to offensive forces early enough for OCO operators
to conduct operations, if necessary. By increasing the engagement
distance, defenders will ensure system and data integrity and force
attackers to battle through offensive interception before they can
attempt to attack friendly systems.

Building on the capabilities of DCOs, future OCO capabilities will split
into two types of missions: interception and attack. The former will
engage enemy actors as they prepare to strike friendly forces whereas
attack missions will hold enemy assets at risk in their own areas of
cyberspace. Each mission will engage enemies on both traditional and
nontraditional networks in the cyber domain.

Interceptor missions act in conjunction with DCO sensor targeting to
attack enemies before they reach friendly systems. These missions will
harass the enemy by capturing tools before he can launch them, changing
attack targets so that his tools attack the wrong system or commit
fratricide, and manipulating the data presented to the enemy operator,
forcing him to react to forged threats. Rapid forensic capabilities let
defenders reverse-engineer tools captured by interceptors and apply
defenses against those tools in real time, foiling any further attempts.
These interceptor missions will represent a close air support function in
cyber that keeps friendly cyberspace safe by attacking the threat before
it arrives.

Attack missions, on the other hand, represent the strategic strike
capability of OCOs and will create both virtual and physical effects
across all domains through application of offensive capabilities in the
cyber domain. Virtual effects will include manipulating data on enemy C2,
intelligence, surveillance, and reconnaissance systems; injecting false
data into C2 networks and tactical data links; removing data from those
links; and isolating systems from their associated networks. Physical
effects might include destruction through manipulation of digital control
systems or remote system control of platforms such as satellites,
remotely piloted aircraft, and fly-by-wire systems. In addition to these
effects, attack will provide intelligence collection, data exfiltration,
and other more traditional capabilities, but these will be employed
across the cyber domain to include satellite systems, aircraft, and C2
systems.

In support of the full-domain competencies discussed above, cyber
operators will have comprehensive situational awareness of the cyber
domain. Although traditional sensors permit monitoring of the avenues of
ingress and egress and small subsets of endpoint behavior, it will be
necessary to develop new sensors that alert defenders to behavioral
anomalies or statistically significant departures from the expected
baseline. Sensors will supply these alerts in an actionable form so that
operators can quickly determine whether or not a large-scale attack is
occurring or a single node is compromised. Additionally, it will be
possible to visualize the cyber domain in terms of logical connections,
such as network and radio frequency circuits supporting a given mission,
or data flows supporting a desired mission area to provide mission
assurance.

Current cyber sensors utilize priorities associated with specific alerts
to warn operators of possible malicious action. To determine whether or
not those alerts represent a true threat or merely a false positive, DCO
operators must review detailed information such as the actual data
passing between computers, the machines involved in the suspect
transaction, and the basis of the original alert. This time-intensive
process requires highly skilled operators and is prone to human error.
Additionally, the alerts signify singular events that occur in a stream
of data and may occur ambiguously under normal operating conditions as
well as during an attack.

Future situational awareness tools, though, will capitalize on advanced
threat indicators such as divergence from expected behaviors. These
sensors will use a known baseline of user activity on a given node to
determine whether or not a node is deviating from its expected behavior.
Using a defense-in-depth methodology, sensors will automatically
correlate similar behavioral alerts across multiple clients. With this
type of automation, DCO operators can validate alerts at a higher level,
in less time, and with reduced manpower. Moreover, behavioral alerting
will decrease the number of false positives produced by sensors, allowing
operators to spend more time responding to real incidents rather than
analyzing nonevents.

Operators will receive alerts in an actionable form. For example, if a
sensor alerts them to possible data exfiltration, it will automatically
store the data stream in a temporary buffer pending operator action. If
the operator confirms the alert, then the act of confirmation will delete
the data in question before it is delivered; if the operator determines
that the alert is a false positive, then the transmission will be resumed
with no data loss. Similarly, attempts to compromise an aircraft or a
satellite data link will result in an operator alert indicating the
source of the attempt, methods used, and possible attribution based on
known TTPs. This level of situational awareness enables the operator to
alert the component commander in a timely manner so that he or she can
take appropriate kinetic or nonkinetic action in response to the attack.
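
The baseline-deviation sensor, cross-node correlation, and hold-and-release
buffer described in the two paragraphs above can be sketched as follows.
This is an added example, not part of the original article: a simple
z-score stands in for the behavioral model, and the thresholds, node names,
and byte counts are constructed assumptions.

```python
from statistics import mean, stdev

# Assumed thresholds (not from the article): z-score cut-offs for triage.
REVIEW_Z = 3.0       # at or above: hold the traffic and ask the operator
AUTO_Z = 8.0         # at or above: confident enough to mitigate unattended
CORRELATE_MIN = 2    # deviating nodes needed to call the event large-scale

def zscore(history, observed):
    """Upward deviation of this interval's outbound bytes from the baseline."""
    mu, sigma = mean(history), stdev(history)
    if sigma == 0:  # perfectly flat baseline: any increase is a departure
        return float("inf") if observed > mu else 0.0
    return (observed - mu) / sigma

def triage(baselines, observed):
    """Return ({node: decision}, scope) for one observation interval."""
    decisions = {}
    for node, value in observed.items():
        z = zscore(baselines[node], value)
        if z >= AUTO_Z:
            decisions[node] = "auto_mitigate"    # man-on-the-loop path
        elif z >= REVIEW_Z:
            decisions[node] = "operator_review"  # human trigger
        else:
            decisions[node] = "ignore"
    # Correlate alerts across nodes: one compromised node or a wider attack?
    deviating = [n for n, d in decisions.items() if d != "ignore"]
    if not deviating:
        scope = "none"
    elif len(deviating) >= CORRELATE_MIN:
        scope = "large_scale"
    else:
        scope = "single_node"
    return decisions, scope

class HoldBuffer:
    """Parks a suspect outbound stream until the operator rules on the alert."""

    def __init__(self):
        self.held = {}        # alert id -> buffered chunks
        self.delivered = []   # chunks forwarded to the destination

    def hold(self, alert_id, chunks):
        self.held[alert_id] = list(chunks)

    def confirm(self, alert_id):
        """Operator confirms exfiltration: drop the data, return chunks dropped."""
        return len(self.held.pop(alert_id))

    def release(self, alert_id):
        """False positive: forward everything in order, nothing lost."""
        chunks = self.held.pop(alert_id)
        self.delivered.extend(chunks)
        return chunks

# Constructed sample data: five past intervals of outbound bytes per node.
BASELINES = {n: [100, 110, 90, 105, 95] for n in ("node-a", "node-b", "node-c")}

if __name__ == "__main__":
    sample = {"node-a": 104, "node-b": 140, "node-c": 400}
    print(triage(BASELINES, sample))
    buf = HoldBuffer()
    buf.hold("alert-1", [b"part1", b"part2"])
    print(buf.release("alert-1"), buf.delivered)
```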

Finally, situational awareness tools will offer both physical and logical
mapping of data and nodes. Since the cyber domain contains both data and
the nodes that process it, many parts of the domain possess both a
physical and a logical location. For example, systems used to perform
space launch may reside at an Air Force base thousands of miles from the
actual launch location. A cyber situational awareness tool must be able
to depict the systems both as a physical device associated with a given
location and as a logical portion of the space launch network. It is also
necessary to visualize data flow so that operators can see where spikes
in data flow occur, where data is diverted for unknown reasons, and where
it has stopped flowing. The increased visualization of data traversing
cyberspace will permit operators to better understand and react to
changes in both the physical and virtual battlespace.

To conduct cyber operations across the entire domain, we will develop
Airmen with the foundational knowledge to comprehend traditional
Internet-protocol-based networks as well as radio-frequency and
proprietary-communications networks. Further, these warriors must
understand not only how devices that operate in the cyber domain are
designed but also how they operate. Just as a pilot must have knowledge
of aerodynamic fundamentals to understand the performance and limitations
of his weapon system, so must cyber warriors possess a foundational grasp
of the cyber domain to employ cyber weapon systems properly.

As in the air and space domains, successful deployment of weapon systems
in a combat environment demands that cyber crews develop competency in
these weapons over the course of a career. Doing so requires a
career-field-management strategy that emphasizes the development of
experience and expertise tied to weapon system employment. Much like
pilots, cyber warriors will be assigned to a mission track (e.g., DODIN
operations, DCOs, or OCOs) and a weapon system. During initial
qualification training, operators will become proficient in the
configuration, components, design, and operation of their system. Over
the course of one or more operation tours, they will continue to build
expertise and competence in the deployment of that weapon system. Like
members of the flying community, those operators will have opportunities
to transition to different systems as well as serve on staff or
career-broadening tours. Each career path will remain generally distinct
in technical development yet emphasize leadership, supervision, and
cooperative action that translates to broader Air Force and joint
operational expertise over time. The necessary skills and experience will
be normalized with the joint community to ensure that forces presented to
combatant commanders provide reliable capabilities consistent with those
of the other services.

The Air Force will train cyber operators in a rigorous, deliberate
fashion to ensure that they possess the foundational skills to perform
their specific mission. This training will encompass networking and
computing fundamentals as well as knowledge of data transmission across
the electromagnetic spectrum, operating systems, computer design
fundamentals, and electronic circuit theory. Training specific to mission
areas will encompass not only particular toolsets but also defensive and
offensive techniques. Both DCO and OCO personnel will routinely rotate
into DODIN positions to guarantee current knowledge of system
configuration, defensive posture, and terrain familiarization.


Conclusion 

Just as the air and space domains took time to grow from their inceptions
to fully capable war-fighting domains, so is the cyber domain poised to
follow the same arc. That domain has developed at a rapid pace from a
novelty and mission-enhanced commodity to a mission-critical capability
in just a few decades. As it continues to progress, the level of
capability offered by dedicated operators to the war fighter will also
increase exponentially.

We can compare today's cyber power to airpower sometime during the
interwar years. Operators have developed capabilities and demonstrated
their effectiveness to combatant commanders; however, warfare in and
through cyberspace remains underdeveloped. Even though professionals in
the cyber field have become more proficient at creating effects in the
domain via DODIN as well as DCO and OCO operations, these effects are
still not well integrated into a combat environment. As was the case with
airpower before the beginning of World War II, operational planners are
not sufficiently versed in this domain to intuitively envision cyber's
contribution to decisive battlefield effects in modern form. Partly
because of occasional doubt regarding the proficiency of cyber
capabilities, their effects are currently considered "nonkinetic" while
more traditional military capabilities produce "kinetic" effects. In the
future, cyber warfare will prove its effectiveness on par with more
traditional capabilities, blurring the line between kinetic/nonkinetic
effects. By then, cyber capabilities will have become well-deliberated
strategic alternatives for our national leaders and combatant
commanders—recall World War II's Battle of the Beam, mentioned above,
when cyber capabilities were the first and best option to defend Great
Britain against German bombing raids.

The explosive growth in cyber today and the bold vision articulated by
senior leaders throughout the DOD promise a bright future for this
domain. As cyber warriors continue to develop competence and
effectiveness in their weapon systems, the capabilities they bring to the
joint fight will begin to show their true potential. As we plan and
employ such capabilities with greater frequency and effectiveness,
commanders will fully understand how best to utilize these forces to
fulfill mission objectives. Advances in technology, organization, and
operator expertise will continue to translate into unprecedented
battlefield effects.